
Scotiabank Source Code and Credentials Found Exposed via GitHub Repositories

Scotiabank, a Canadian bank, was found to have sensitive data exposed, some of it for months, according to researchers. A wide array of information was discovered, including documentation files and code, some of which is thought to be for mobile apps for Central and South American customers. Foreign exchange access keys, service login credentials, keys to access the bank’s backend systems and services in different parts of the world, and software blueprints were also found. “They have a foreign exchange (FX) rate SQL Server database that has had its credentials and public-private keys in the open for months. Knowing that there is a known potential for someone to tweak FX rate data, the integrity of the bank is diminished accordingly,” said the discovering researcher. After getting the report, the bank secured the repositories and stated that none of the information included would have put anyone connected to the bank at risk. However, experts say the opposite is true, as the code could have fallen into the wrong hands and caused major issues.

Analyst Notes

Credentials should never be stored as code or configuration in GitHub. Any sensitive data should be removed from files, and access should be tightly controlled. Require two-factor authentication on every contributor’s GitHub account. Never let users share GitHub accounts or passwords. Any laptops or devices with access to the source code must be properly secured.
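One way to enforce the first recommendation before code reaches a repository is a pre-commit check for the two kinds of secret named in this report: database connection-string passwords and private keys. The following is an added example, not code from the original article; the file names, hostnames, rule names and sample values are constructed assumptions.

```python
import re

# PEM header for any private key type (RSA, EC, OPENSSH, PKCS#8, ENCRYPTED).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Password=... or Pwd=... inside an ADO.NET/ODBC style connection string.
CONN_PASSWORD = re.compile(
    r"(?i)\b(?:password|pwd)\s*=\s*(?P<value>\"[^\"]*\"|'[^']*'|[^;\"'\s]+)")
# Only treat the line as a connection string if it also names a server.
CONN_SERVER = re.compile(r"(?i)\b(?:server|data source|addr(?:ess)?)\s*=")
# Values that point at a variable or secret store instead of embedding a secret.
PLACEHOLDER = re.compile(
    r"^(?:\$\{[^}]+\}|\$\([^)]+\)|%\w+%|\{\{[^}]+\}\}|<[^>]+>|\*+)?$")


def scan_text(path, text):
    """Return (path, line_number, rule) findings; matched secrets are never echoed."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if PEM_PRIVATE_KEY.search(line):
            findings.append((path, number, "private-key"))
        match = CONN_PASSWORD.search(line)
        if match and CONN_SERVER.search(line):
            value = match.group("value").strip("\"'")
            if not PLACEHOLDER.match(value):
                findings.append((path, number, "connection-string-password"))
    return findings


def scan_files(files):
    """Scan a {path: content} mapping, e.g. the staged files of a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files; hostnames, names and values are made up.
CONN = "Server=fx-db.example.internal;Database=Rates;User Id=svc_fx;Password="
SAMPLE_FILES = {
    "config/appsettings.json":
        '{\n  "ConnectionStrings": {\n    "FxRates": "' + CONN
        + 'Constructed-Sample-1;"\n  }\n}\n',
    "config/appsettings.template.json":
        '{"FxRates": "' + CONN + '${FX_DB_PASSWORD};"}\n',
    "deploy/fx_signing.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-KEY\n"
        "-----END RSA PRIVATE KEY-----\n",
    "deploy/fx_signing.pub":
        "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n",
}

if __name__ == "__main__":
    for path, number, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{number}: {rule}")
```

A secret that was already pushed stays in the repository history after the file is edited, so any finding on committed code also means rotating that credential or key.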